5 Best Practices for Manufacturing Cybersecurity
A Department of Defense (DoD) push to protect data by vetting suppliers more thoroughly illuminates how any CNC machining business can improve.
Share
Hwacheon Machinery America, Inc.
Featured Content
View MoreIs your customers’ data secure? Most leaders of CNC machining businesses likely would say “yes,” but answering in the affirmative is no longer enough for those seeking sensitive defense-industry work. The struggle to meet new government standards shows the extent to which basic cybersecurity best practices can differentiate not only these manufacturers, but virtually any shop trusted with sensitive data.
Our expansive July 2019 issue cover story, “How to Become a Defense Supplier,” touched on more than cybersecurity.
This was the subject of a recent conversation with David Watts, solution consultant at Avatara, an information technology firm that is focusing on helping small- and mid-sized manufacturers meet new Department of Defense (DoD) requirements. More specifically, Avatara is helping DoD suppliers prepare for Cybersecurity Maturity Model Certification (CMMC). While current regulations dictate that DoD suppliers constantly track and update their own security policies and report on progress, the new CMMC requires answering to third-party auditors, and doing so prior to the awarding of a contract rather than after the fact. “A lot of manufacturers are going to be caught flat-footed,” Mr. Watts says.
National security implications aside, Mr. Watts says a crisis for some can present opportunity for others. Based on Avatara’s experience with customers so far, the most significant areas of weakness involve practices and procedures that are rudimentary by modern cybersecurity standards, even if they take time and effort to implement. As he puts it, “If you don’t do this stuff, you’re nowhere near ready for CMMC. But really, a lot of it could be viewed as basic best practices for anyone.” Examples include:
Training Regularly
Although the specifics had not been published at the time of this writing, the CMMS builds directly on the current National Institute for Technology (NIST) 800-171 standard, which already specifies training for key employees. “You’ll have to show the auditors, ‘Here are the training sessions, here are which ones we passed and failed, and here’s what we’re doing about it if we failed,’” Watts says.
Even without auditing, staying up to date is essential because threats are ever-evolving, he says. For example, security technology might not be enough for shops that do not appreciate the power of social engineering tactics. Phishing, or the sending of fake emails to obtain passwords or other information, is a classic example. “Just having a firewall in place is not enough to prevent that,” he says, adding that formal training should include practicing fake attacks. “It’ll tell you ‘Bob clicked this link seven times,’ and then you can tailor your training to Bob.’”
Requiring Strong Passwords
Password policies — that is, the rules governing what makes a good password — could explain part of the reason for the prevalence of tactics like phishing. Mr. Watts says that following best practices for passwords is a requirement for CMMC Level 3, the minimum level of certification for most CNC machining businesses seeking DoD contracts. Examples include requirements for certain numbers of characters and symbols; requirements that passwords change regularly; limits on using identical passwords; and limits on log-in attempts.
Requiring Multi-Factor Authentication
Multi-factor authentication refers to the use of multiple means — that is, more than just a password — to verify that users are who they say they are. For instance, a bank might ask for both a log-in ID and the answers to personal security questions. This is good practice in general, but necessary for CMMC, Mr. Watts says.
Monitoring for Threats
As is the case with current NIST standards, CMMC requires monitoring incoming and outgoing data to detect attacks and potential indicators of attacks, Mr. Watts says. Examples include malicious code, communications with external systems, unusual traffic patterns and so forth. Likewise, records of data crossing a network are necessary to identify attackers, weak points and more in the event of a security breach.
Considering Security Beyond the Virtual
One of the simplest ways to steal sensitive data is to simply plug a USB stick into a computer or server. For its part, Avatara maintains all customers’ data in a private data center environment. Servers lack a port for any removable media, and are locked behind biometric access points and defended by armed guards. Manufacturers that opt to maintain their own information technology infrastructure may not go to these lengths, but precautions might be warranted even if the risk is more to a shop’s own financials rather than national security.
Related Content
Give Job Shop Digitalization a Customer Focus
Implementing the integrated digital technologies and automation that enhance the customer's experience should be a priority for job shops and contract manufacturers.
Read MoreProtecting Your Automation Investments
Shops need to look at their people, processes and technology to get the most of out their automation systems.
Read MoreHow this Job Shop Grew Capacity Without Expanding Footprint
This shop relies on digital solutions to grow their manufacturing business. With this approach, W.A. Pfeiffer has achieved seamless end-to-end connectivity, shorter lead times and increased throughput.
Read MoreShop Quotes Smarter, Works Harder with Machine Monitoring
Temco first installed MT-LINKi to optimize quoting. Now, the software helps the shop optimize its machines — and machine purchases.
Read MoreRead Next
When It Comes to Cybersecurity, Be Scared, but Be Prepared
Warnings about threats to internet-enabled networks in manufacturing plants should be taken seriously without giving in to alarmist overreactions. The risks are real, but manageable, while the benefits are too compelling to forego.
Read MoreCybersecurity for Job Shops
Small and medium-size machining job shops can take steps to protect computerized or networked assets such as CNC machines from cyber attacks.
Read More